Data Privacy/Cyber Security, 9th November 2016


Page 1: Data Privacy/Cyber Security - iiauae.org · Director, Cyber Security, EY Kuwait Role: ... Oman-based Bank of Muscat lost US$40-million and United Arab Emirates-based National Bank

Data Privacy/Cyber Security

9th November 2016

Page 2

With you today . . .

Sourabh Sharma, Director, Cyber Security, EY Kuwait

Role: Kuwait Cyber Security Leader and IS Governance MENA champion

Page 3

Agenda

1. Introduction to cyber security
2. Cyber Security Attacks
3. MENA context
4. Mitigation steps and best practices
5. Introduction to Data privacy
6. Need of privacy
7. Global landscape and regulation
8. Approach to implement privacy

Page 4

Is Cyber Security a real issue?

[Figure: Global Risks Landscape chart plotting Impact (vertical axis) against Likelihood (horizontal axis) for economic, geopolitical, environmental, societal and technological risks, with average markers at 4.56 and 4.31. Technological risks plotted include cyber attacks, data fraud/theft and critical information infrastructure breakdown.]

Source: Global Risks Perception Survey 2014

Page 5

What we hear from you…

Global Information Security Survey conducted by EY in 2015:

► 36% of respondents say that it is “unlikely” or “highly unlikely” that their organization would be able to detect a sophisticated attack.
► 69% say their information security budget needs to rise by up to 50% to protect the company in line with management’s risk tolerance.
► 57% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.
► 18% do not have an Identity and Access Management program, while in 2014 this figure was 12% — this represents a serious drop.
► 36% of respondents do not have a threat intelligence program.
► 88% of respondents do not believe their information security fully meets the organization’s needs.
► 47% of organizations do not have a Security Operations Centre.
► 56% of respondents have identified data leakage/data loss prevention as a high priority requirement over the next 12 months.

Page 6

Some major cyber attacks

Page 7

Some major cyber attacks contd.

$2 million – AT&T
► The US carrier was hacked in 2011, but said no account information was exposed.
► They warned one million customers about the security breach.
► Money stolen from hacked business accounts was used by a group related to Al Qaeda to fund terrorist attacks in Asia. According to reports, refunding customers cost AT&T almost $2 million.

$171 million – Sony
► Hacked in April to June 2011, Sony is by far the most famous recent security attack.
► Sony reportedly lost almost $171 million after its PlayStation Network was shut down by LulzSec.
► The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.

$2.7 million – Citigroup
► Hacked in June 2011; hackers exploited a basic online vulnerability and stole account information from 200,000 clients. Because of the hacking, Citigroup lost $2.7 million.
► Just a few months before the attack, the company was affected by another security breach.
► It started at Epsilon, an email marketing provider for 2,500 large companies including Citigroup.
► Specialists estimated that the Epsilon breach affected millions of people and caused an overall $4 billion loss.

$2 million – Stratfor
► Anonymous members hacked the US research group and published confidential information from 4,000 clients, threatening they could also give details about 90,000 credit card accounts.
► Hackers stated that Stratfor was “clueless…when it comes to database security”.
► According to the criminal complaint, the hack cost Stratfor $2 million.

$39 million: Bank Muscat / $4.7 million: RAKBANK
► Oman-based Bank of Muscat lost US$40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost US$5 million in the global heist.
► US and German authorities have so far arrested nine — seven in the US and two in Germany — for their alleged involvement in the $45 million pre-paid travel card fraud.
► Global criminal organisation members hacked into two outsourced credit card processors and used stolen data to make more than 40,500 withdrawals in 27 countries.

Page 8

Where does MENA stand: GCI

Page 9

Channels of attack

Social engineering
► Social engineering has moved onto social networks, including Facebook and LinkedIn.
► Attackers use social engineering, which goes beyond calling targeted employees and trying to trick them into giving up information.

Internal threats
► Some of the most dangerous attacks originate within the organization.
► These attacks can be the most devastating, due to the amount of damage a privileged user can do and the data they can access.

Botnets
► Expect cybercriminals to spend a lot of time perfecting what they know best, such as making sure their botnets have high availability and are distributed.

BYOD and Mobiles
► The issue of trust comes into play in the mobile world as well, with many businesses struggling to come up with the right mix of technologies and policies to hop aboard the BYOD trend.

Cloud security
► With more companies putting more information in public cloud services, those services become tempting targets and can represent a single point of failure for the enterprise.

HTML5
► Even with increasing attention being paid to HTML5 security, the newness of it means that developers are bound to make mistakes as they use it, and attackers will look to take advantage.

Precision Targeted Malware
► Attackers are learning from the steps researchers are taking to analyse their malware, and are designing malware that will fail to execute correctly on any environment other than the one originally targeted.

Application Vulnerabilities
► Application vulnerabilities are another channel through which a cyber attack could happen.

Page 10

What is driving the trend

► Increasing cyber attacks threatening ICT security
► MENA geo-political scene
► Global / regional compliance
► National Information Security Strategy
► Maturity / competence of state agencies to adopt the NIA
► Reporting, monitoring and management of risk
► Legal and regulatory compliance

National agencies by country:

Oman: OCERT
Qatar: QCERT
UAE: NESA
KSA: NCSC
Kuwait: CAIT

Government/Private Entities

Page 11

GCC - National level Cyber Initiatives

Regional Cyber Security Initiatives | Qatar | UAE | Saudi Arabia | Oman | Kuwait
National Strategy | ✔ | ✔ | wip | wip | ✖
IS Standard | ✔ | ✔ | ✖ | ✔ (eGOV) | ✖
ICS Standard | ✔ | ✖ | ✖ | ✖ | ✖
Dedicated Gov. Agency | ✔ | ✔ | ✔ | ✔ | ✔
Vetting labs | 2018 | wip | ✖ | ✖ | wip
Compliance Road Map | ✔ | ✔ | ✖ | ✔ (eGOV) | ✖
National Cyber Risk Framework | ✔ | wip | wip | ‐ | ✔ (KNIGF)

(wip = work in progress)

Page 12

Cyber Risk Mitigation

Page 13

Protect the crown jewels

Being attacked is unavoidable, so how prepared are you? Can you answer “yes” to these five key questions?

1. Do you know what you have that others may want?
2. Do you know how your business plans could make these assets more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were being attacked and if the assets have been compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?

Valued assets:
► Intellectual property
► People information
► Financial information
► Business information (strategy, performance, transactions)

Page 14

Embrace Cyber security

Stakeholders around Cyber-Security: Board and executive leadership; Internal audit and risk management; Legal and regulatory; Finance; Customer; Information technology; Governance, risk and controls; Supply chain.

Services:
► All cyber services
► Table-tops
► Cyber intelligence
► Cyber insurance
► Cyber economic intelligence
► Cyber-identity services
► Secure mobile services
► Bring Your Own Device (BYOD)
► Cyber controls with supplier and vendor alignment
► Vendor risk management (VRM)
► IT strategy services
► Big data security
► Securing disruptive technologies
► Securing infrastructure and application platforms
► Data integrity
► Risk detection and response
► Controls compliance
► Governance
► Risk management
► Performance metrics

Page 15

Data Privacy

Page 16

Introduction to Privacy

Privacy is the ability to control how you are identified, contacted, and located.

Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information (Generally Accepted Privacy Principles from AICPA).

Privacy requires control of information: professional information, customer information and financial information.

General
• Name
• Home or email address
• Identification number
• Physical characteristics
• Sexual orientation

Employee / third party
• Employment history
• Employee relations
• Compensation/remuneration related matters
• Background investigation reports
• Health & safety

Customers
• Account numbers
• Credit card / bank details
• Calling details
• Income
• Credit information
• Details collected during customer acquisition (for KYC purposes)

AICPA: American Institute of Certified Public Accountants

Page 17

Privacy in IS Context

Privacy: The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.

Confidentiality: Information designated as confidential is protected as committed or agreed.

Integrity: System processing is complete, accurate, timely, and authorized.

Availability: The system is available for operation and use as committed or agreed.

Page 18

Data subjects

A data subject is an individual who is the subject of certain personal information. Data subjects can be:

► Applicants
► Employees (current, former, retired)
► Multiple contract employees
► Expatriates
► Contractors
► Vendors/consultants
► Dependents and beneficiaries
► Retirement plan participants
► Prospective clients
► Consumers and customers
► Investors
► Professionals related to the industry
► Patients
► Business contacts, service providers, agents, contractors, and suppliers
► Market research participants
► Opinion leaders (influential scientists, academics, leading industry players, public officials, etc.)
► Activists
► Visitors

Page 19

Need of privacy

Privacy is multifaceted. It is a personal issue, a social issue, a legal issue, and a business issue. Organizations are challenged to effectively manage compliance, expectations, and risk across increasingly complex and geographically diverse enterprises.

Main and other drivers:
• Compliance with laws, regulations, contracts and other agreements
• Managing financial risks
• Countering identity theft and fraud
• Managing other business risks to brand and reputation
• Meeting customer expectations
• Outsourcing, off-shoring, and extended global enterprises
• Evolving technologies, such as:
  • Internet-based services
  • Enterprise resource planning systems
  • Customer relationship management
• Process harmonization, cost reduction

Page 20

Where Privacy can be of interest...

Manual Processes
• Face-to-face interaction
• Forms and data entry

Systems
• Devices and user equipment
• Front office
• Back office
• Infrastructure
• Web

Third Parties
• Customer interfacing
• Infrastructure
• Business partner

A process that handles personal information can get segregated into different components. For each of these, we may have different interests. Consider the lifecycle of personal information, including its:

• Collection
• Use and secondary use
• Retention and storage
• Transfer and disclosure
• Disposal

Page 21

What could go wrong...

Considering what could go wrong is important for understanding what needs to be done to effectively manage and protect personal information. These challenges are often tactical in nature and symptoms of broader issues.

Common Challenges
► Lost or stolen media
► Over-sharing of personal information
► Good intentions but misused data
► Third party service provider control deficiency
► Web site leakage
► Hackers (inside and outside)
► Unwanted marketing communications (telephone, email, SMS)
► Fraudulent transactions
► Social engineering, including phishing

Page 22

Could result in...

Risk(s)
► Identity theft
► Brand and reputation damage
► Litigation
► Regulatory action
► Direct financial loss
► Loss of market value
► Loss of customer and business
► Becoming the example of what could go wrong

Page 23

Global Privacy landscape

[Map of the global privacy landscape]

LEGEND
► National privacy or data protection law in place
► Other significant privacy laws in place
► Emerging privacy or data protection laws

Page 24

Key data privacy and protection laws

► Austria: Federal Act Concerning the Protection of Personal Data
► Denmark: Danish Act on Processing of Personal Data
► Finland: Personal Data Act
► France: French Data Protection Act
► Germany: Federal Data Protection Act
► Greece: Hellenic Data Protection Law
► Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interests
► Italy: Personal Data Protection Code
► Poland: Personal Data Protection Act
► South Africa: Protection of Personal Information Bill (“Proposed Bill”)
► Spain: Organic Act 15/1999 on personal data protection

Page 25

Key data privacy and protection laws contd.

► Sweden: The Swedish Personal Data Act
► Switzerland: Federal Act on Data Protection of 19 June 1992
► US: Patchwork of federal and state law
► Netherlands: Personal Data Protection Act
► UK: Data Protection Act 1998
► Russian Federation: Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interests

Page 26

Leading practices…

EY Perspective
► Perform Service Organization Control (SOC) 2 examination
► Implement Information Privacy framework, based on a privacy standard (ISO 29100, BS 10012, GAPP etc.)

Page 27

Privacy framework implementation

Data Protection Requirements
• Privacy governance structure.
• Business strategy to identify, collect, process, protect and share personal information.
• Risk assessment and gap analysis of controls and procedures.
• Design and implementation of privacy initiatives.
• Sustaining and managing privacy processes.

Principles & standard used to assess and define privacy structure
• Generally Accepted Privacy Principles (GAPP)
• Leading frameworks (ISO 29100, BS 10012)

Maturity Assessment
Identify maturity of data protection processes on the scale of:
• Ad-hoc
• Repeatable
• Defined
• Managed
• Optimized

Privacy Procedures & Controls
Define Data Protection framework to implement relevant controls for protecting sensitive/critical/confidential information.

Page 28

Privacy framework implementation

Phases: Identify | Diagnose | Design | Deliver | Sustain

Activity
► Identify: Document Personal Identifiable Information (‘PII’); PII Modeling & Mapping
  • Address • Date of birth • Financial information • Medical details • Sexual orientation
► Diagnose: Conduct Privacy RISK Assessment (‘PRA’)
  • Regulatory & contractual requirements • Financial, technical, reputational risk assessment
► Design: Define Privacy Framework
  • Personal and sensitive personal information • Policies & procedures
► Deliver: Implement the privacy framework
  • Process alignment • IT system upgrade • Information lifecycle management
► Sustain: Training; Awareness campaign
  • Awareness to customers, employees & third parties • Training on data handling

Objective
► Identify: What to protect? Where is it stored? Who has access to it?
► Diagnose: Evaluate existing initiatives/mitigation strategies
► Design: Co-develop mitigation strategies to address gaps
► Deliver: Implement mitigation strategies across the enterprise
► Sustain: Sustain momentum by creating awareness amongst stakeholders

Page 29

Thank you

Email id: [email protected]

Phone number: +96594002430